CVE-2026-11610info

Summary

by MITRE • 07/07/2026

A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability described represents a critical heap buffer overflow condition within the 389 Directory Server's SASL I/O layer that has persisted since version 1.3.2 released in approximately 2013. This flaw exists in the sasl_io_recv() function located in sasl_io.c, where an insufficient bounds check allows malicious data to be copied into a fixed 512-byte heap buffer during LDAP UNBIND packet processing. The vulnerability specifically manifests when an authenticated attacker establishes a SASL bind with integrity protection (SSF > 0), creating a privileged execution context that enables exploitation of this memory corruption flaw.

The technical implementation of this vulnerability leverages the existing authentication mechanism within the directory server's security framework, making it particularly dangerous as it requires only valid credentials to exploit. Attackers can craft oversized LDAP UNBIND packets containing approximately 2 megabytes of attacker-controlled data, which when processed through the vulnerable sasl_io_recv() function, overflows the designated 512-byte buffer and subsequently causes a denial of service condition leading to server crash. This type of heap overflow directly maps to CWE-121, Heap-based Buffer Overflow, and represents an exploitation vector that aligns with ATT&CK technique T1499.004 for network disruption and system compromise.

The operational impact of this vulnerability extends significantly within FreeIPA and Red Hat Identity Management environments where domain users possessing valid Kerberos tickets, enrolled hosts, or service accounts can trigger the exploit over the network after successful GSSAPI authentication. This broad attack surface means that the vulnerability affects not just privileged administrators but also regular domain users who have legitimate access to the directory services, making it particularly concerning for enterprise deployments. The persistence of this flaw despite previous security efforts is notable, as CVE-2025-14905 only addressed a separate heap overflow in schema.c and failed to resolve this particular vulnerability in the SASL I/O layer.

Mitigation strategies should focus on immediate patching of the 389 Directory Server software to address the specific bounds checking issue in sasl_io_recv() function. Organizations should also implement network segmentation and access controls that limit exposure to the directory service, particularly restricting direct network access from untrusted networks. Monitoring for unusual LDAP traffic patterns, specifically oversized UNBIND packets following successful authentication, can serve as an early detection mechanism. Additionally, implementing proper input validation and bounds checking in all I/O processing functions, especially those handling network protocols, would prevent similar vulnerabilities from emerging in other components of the directory service infrastructure. The vulnerability's existence since 2013 underscores the importance of regular security audits and thorough code reviews of long-standing software components to identify and remediate persistent security flaws that may have been overlooked during initial development phases.

Disclosure

07/07/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!